In my last blog, I wondered why the Information Commissioner was spending time and money taking enforcement action against organisations that have been closed down, and complaining that the ICO’s enforcement focus is locked on the security shortcomings of the public sector. In order to ensure that the Act is complied with as a whole, I believe that the ICO should pay a lot more attention to the other seven principles found in the DPA, and equally, be more willing to go after the private sector.
The ICO is already making its excuses about why it doesn’t need to go private. The new version of their ‘Regulatory Action Strategy’ lays on limousine service for the status quo: “In selecting areas for attention we will bear in mind the extent to which market forces can themselves act as a regulator. Thus the public sector, particularly where processing is hidden from view, where individuals have little or no choice and where sensitive personal data are involved might well receive more attention from us than the private sector.” At least the former Deputy Commissioner Francis Aldhouse was more direct, when he reportedly said of the press: ‘They’re too big for us’.
So that’s the story: competition will take care of all that pesky privacy nonsense, and we can concentrate all of our efforts getting GP surgeries in Armagh to sign meaningless undertakings. I feel so reassured. After all, all the competition from Habbo Hotel and Ask.fm has really reined in Facebook, hasn’t it? It’s not as if we live in a world where commercial companies suck the marrow out of their customers’ identities minute by minute, and a rampant market in personal information goes on unchecked.
I’ve told this story many times before, but I’m going to tell it again. At the first Data Protection Officer conference in Manchester, senior ICO figures discussed enforcement and trotted out this same argument that it was more important to go after the public sector because market forces would force companies to improve their privacy standards. Shortly afterwards, the next speaker – the DP officer for one of the large mobile phone companies – took to the stage to maker her presentation, and told the assembled Wilmslow Massive that this idea was nonsense, and nobody in the private sector was going to spend time and money on gold-plated privacy policies. I regret that I didn’t have a personal-data-slurping smartphone at the time to capture the collective discomfort on certain senior faces, but it wasn’t enough to dislodge the idea.
I don’t know whether the authors of the Regulatory Action Strategy actually believe this assertion – if they have any evidence or research to back it up, they should publish it. I’m certain they have none, and it’s just a convenient excuse for inaction. Nevertheless, just in case, the ICO decides to change its approach, I would like to present the first in an occasional series which I am calling ‘PEOPLE OF THE INFORMATION COMMISSIONER’S OFFICE, CAN I INTEREST YOU IN SOME OF THE OTHER PRINCIPLES?”
Regular readers of Bedfordshire on Sunday will already be aware of the controversy surrounding the new Morrison’s store on Ampthill Road in the town – it’s an excellent piece of reporting and well worth reading before any pontificating from me. The supermarket chain has apparently carried out criminal records checks on every one of the 295 new staff, as the paper says: “to find out not only about any criminal convictions, but also reprimands, warnings and cautions for minor offences which would be categorised as spent under the Rehabilitation of Offenders Act 1974”. Curiously, Morrison used Disclosure Scotland, rather than the Disclosure and Barring Service (formerly the Criminal Records Bureau) even though the store is in Bedford and Wm. Morrison Supermarkets plc is headquartered in Yorkshire. This may be explained by the fact that DBS told the paper that they wouldn’t offer the check for retail staff that Morrisons sought.
The first Data Protection principle states that any processing of personal data must be fair, lawful and carried out according to a set of conditions. ‘Fair’ should clear two thresholds. Firstly the use of data should be just as the DPA says ‘ ‘fair’, which my dictionary defines as ‘treating people equally without favouritism or discrimination’. I think it should be possible to get a job stacking shelves in a supermarket without having to surrender sensitive personal data to my employer, especially if any convictions are spent, or if I am not going to handle money. I am certain that this process is unfair.
The second meaning of ‘fair’ is more specific – Morrison will have to tell all of its employees that the check is being carried out and why. Here, the Bedfordshire on Sunday makes its most striking claim, and one that Morrisons plainly deny. The paper points out that standard Morrisons job application form does not mention any form of vetting or verification, while Morrisons say “All checks comply with the law and are carried out with the full knowledge and authorisation of all applicants”. I’m sceptical about the first claim, but the second part is clearly at odds with the paper’s implication, so it’s impossible to say for sure. However, the idea that a supermarket might be carrying out criminal records checks on employees without their knowledge is serious enough for the ICO to investigate, even if it turns out to be untrue.
Leaving lawfulness aside for now, the other part of principle one is that Morrisons have to meet two conditions (two, because information about a person’s previous criminal record is sensitive personal data). At the very least, Morrisons would have to show that they have explicit consent to carry these checks out, and if their standard application form doesn’t properly obtain this from every person subject to the checks, the company will need to demonstrate where else they obtained it. Bear in mind that even if Morrisons have obtained explicit consent to carry the checks out, their processing of the data still has to be ‘fair’. Whether they can do that in an austere working climate where many would probably walk through fire to get a job is unclear to me. Besides, the paper reports that the chain “insists” on the checks, which makes the consent option harder to establish. And if it isn’t consent, what else?
And besides, there is another hurdle that I find it very hard to believe that Morrisons can clear. The third principle states that all uses of personal data should be ‘adequate, relevant and not excessive’. Assuming that Bedfordshire on Sunday have it right, is a full criminal history including spent convictions and ancient cautions really relevant to whether a person is suitable to serve the chain’s hand battered, award winning fish and chips in the Ampthill Road branch’s café? Is it not excessive for the grocer to know the criminal history of the shelf-stackers? The fact that the DBS wouldn’t even offer the grocer the opportunity to find out, forcing them to go to an organisation covered by a different legal system cannot be ignored. Unless all supermarket chains and retailers carry out the same checks, Morrison’s actions would seem excessive on their own terms – if this is more widespread, I think there is a huge problem of the unnecessary and disproportionate use of personal data.
Of course, the ICO’s position on all of this is that the best regulator is competition, rather than the actual regulator. I feel certain that Morrisons will soon feel the pinch as customers react to the misuse of personal data by going to Asda instead. Indeed, ICO staff can set an example, as there is a Morrisons Local a short walk down Water Lane in Wilmslow where the ICO is based. If they shun the establishment and walk the other way to Waitrose or Sainsburys, perhaps I will be proved wrong. However, Morrisons themselves seem unmoved by the Regulatory Action Strategy, as Bedfordshire on Sunday reports: “Morrisons told Bedfordshire on Sunday that the reason they insist all staff be subjected to the checks is because their customers expect it”.